I configured a 2-factor login with a Nitrokey on my Manjaro desktop. I changed my system-local-login in /etc/pam.d by adding a second line. The first two lines are:
auth include system-login
auth required pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue [cue_prompt=Please touch the device.] prompt
With this change, a regular user login on tty3 works as expected - I am asked for my password, and then have to touch the nitrokey.
The unexpected side effect is that a root login on tty3 no longer works. After entering root as the user name, I get prompted for the password. I put in the root password. Instead of receiving a nitrokey prompt (or being successfully logged in), there is just a wait, followed by “login incorrect”.
Meanwhile, in a terminal on the graphical desktop, I can su, enter my root password, and I am logged in as root. So the root password cannot be wrong or forgotten. How can it work in a terminal on the graphical desktop but not on tty3?
I don’t think so. The documentation clearly talks about one user per line. Maybe it is better to create separate files, put them in ~/.config/Yubico/u2f_keys, and configure PAM without authfile:
auth required pam_u2f.so cue [cue_prompt=Please touch the device.] prompt
Or enable path expansion, put them in /etc/Nitrokey/<username>, and configure PAM this way
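Added example, not written by either poster in this thread: a Python check that lists which accounts have no entry in a central pam_u2f authfile such as /etc/Nitrokey/u2f_keys, because an `auth required pam_u2f.so` line applies to every account that logs in through that PAM file. It assumes pam_u2f's one-line-per-user format `username:keyhandle,publickey[,type,options]`; the sample file content, the account names and the function names are constructed for illustration.

```python
import sys

# Constructed sample authfile content (key handles and keys are dummy values).
SAMPLE = """\
alice:a2gxZHVtbXk=,cGsxZHVtbXk=,es256,+presence
bob:a2gyZHVtbXk=,cGsyZHVtbXk=:a2gzZHVtbXk=,cGszZHVtbXk=
line-without-colon
carol:
"""

def parse_authfile(text):
    """Return ({user: device_count}, [(line_no, reason)]) for authfile text."""
    users, problems = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            problems.append((line_no, "no 'username:' prefix"))
            continue
        # Devices are ':'-separated; each is "keyhandle,publickey[,type,options]".
        devices = [d.split(",") for d in rest.split(":") if d]
        if not devices or any(len(d) < 2 or not d[0] or not d[1] for d in devices):
            problems.append((line_no, "no complete keyhandle,publickey pair"))
            continue
        if name in users:
            problems.append((line_no, "duplicate line for " + name))
            continue
        users[name] = len(devices)
    return users, problems

def missing_accounts(text, accounts):
    """Accounts that would reach pam_u2f without any registered device."""
    users, _ = parse_authfile(text)
    return [a for a in accounts if a not in users]

if __name__ == "__main__":
    # Usage: script.py [authfile] [account ...]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    accounts = sys.argv[2:] or ["alice", "bob", "root"]
    users, problems = parse_authfile(text)
    for name, count in users.items():
        print(f"{name}: {count} device(s)")
    for line_no, reason in problems:
        print(f"line {line_no}: {reason}")
    print("no mapping for:", ", ".join(missing_accounts(text, accounts)) or "none")
```

Run it as root against the real authfile with the accounts that log in on a tty, for example the regular user and root, before testing the change on a console.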